autorun.inf and setup.exe appearing on root

Status
Not open for further replies.

n00bsaibot

Hi.

I have read some complaints about this problem in the forums, but I can't remove it. Several weeks ago these 2 files started appearing in c:\ (where Windows is installed). I delete both and then they reappear after some time. Now it seems autorun.inf is appearing in the other partition's root as well.

All I did so far is a ccleaner run. Booted in safe mode and ran spybot 1.4. Have all Windows updates installed (Windows XP Pro SP2) and running Norton AV Corporate, updated as well.

I don't know if this is causing another issue I have here which I'll post later in windows OS forum, that summing up is a problem in which something stops some services (mainly windows audio service and network services) when the computer is ON for a while (sometimes hours, sometimes days), causing all windows audio to cease at all and networking too (mapping and disconnecting units for instance).

Thanks for any help. If you want to see a HJT log I'll post later.
 
Brand, model, age of PC, please... A full description can be helpful... also software and security installed.
 
I advise you to remove Norton and use either AVG or AntiVir instead.
--
Read this and then read this before posting any kind of logs here! If you decide to then make sure to follow the guide to the point and post your logs as attachments. Someone (not me) will have a look at them.
--
Brand, model, age of PC, please... A full description can be helpful... also software and security installed.
Any information about the specifications of your computer should be put in your public profile if you haven't already done that.

Hope it helps!
 
raybay said:
Brand, model, age of PC, please... A full description can be helpful... also software and security installed.

Windows XP PRO SP2 updated
Pentium 4 2.8 Ghz 800Mhz HT
2x512Mb DDR Corsair Dual Channel
MB - Asus P4P-800
Ati Radeon 9600XT 128Mb AGP
Seagate Barracuda SATA 120 Gb (2 partitions, System on C:\)
SoundBlaster Live 5.1
Realtek Gigabit Lan card
PC Age: 1,5 year or so.

Norton AV Corporate
Spybot SD 1.4
Sygate Personal Firewall 5.6
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.


If after reading the above you decide you want to clean your system, do the following.


Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.


Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of n00bsaibot only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for the welcome, Howard. I read all instructions and I want to clean it badly, mainly because it's been 2 months or so since I last formatted.

I did everything stated on the recommended topic. And here is my Hijack log.
If you want I can attach both "autorun.inf" and "setup.exe" zipped for you to analyse.
 
There are no serious problems within your log, however there are 2 entries that should be fixed.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

Click on the fix checked button.

Close HJT.
 
As rik says, your HJT log is clean.

However, I'd still like you to attach an AVG Antispyware log as requested.

Regards Howard :)
 
I will do that HJT fix now, and post the AVG log asap. Just for you to know I uninstalled Norton and now I am using Kaspersky trial. After a full scan it finds:
Code:
Trojan Program:
Trojan-Downloader.Win32.Agent.aii
File:
C:\setup.exe
D:\setup.exe
Every time it pops up I click delete file. But it keeps coming back. I deactivated the firewall for now because it's so annoying, it seems to ask me everything.

The log for AVG anti spy.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there).

SnadBoy's Revelation v2

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ACTOFWAR.exe
Revelation.exe
setup.exe
EvID4226Patch.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there).

C:\setup.exe
D:\setup.exe
D:\apps\popup.htm
D:\aow_v106.rar
D:\apps\EvID4226Patch223d-en.zip
D:\Program Files\SnadBoy's Revelation v2 <Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Go HERE and follow the instructions for running the Ccleaner programme.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log here, along with the combofix and HJT logs. I also need to see a fresh AVG Antispyware log.

Regards Howard :)
 
Hi, sorry for the lack of updates, but here are the requested logs.

And one other thing I noticed is that sometimes the detected threat in "setup.exe" is different. And sometimes it doesn't detect any at all. In all cases I always delete them.

Logs from Kaspersky:

Code:
deleted: Trojan-Downloader.Win32.Agent.aii	File: C:\setup.exe//UPX
deleted: Trojan program Trojan-Proxy.Win32.Horst.gen	File: C:\setup.exe//UPX
deleted: Trojan program Trojan-Proxy.Win32.Horst.ua	File: C:\setup.exe//UPX
deleted: Trojan program Trojan-Proxy.Win32.Horst.ua	File: D:\setup.exe//UPX
 
I can't see anything in your logs that looks nasty.

Download, install and run the trial of SpySweeper. See if that helps and let me know what it finds, if anything.

Regards Howard :)
 
Thanks for all your help so far Howard, but I'm so tired and soon I'll be formatin' and reinstallin' everything again. This time I'll be careful to install an anti-virus and a firewall right after installing windows xp.
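
Added example, not part of the thread and not code from any tool mentioned in it: a small Python triage helper that reads the text of an autorun.inf found on a drive root and lists which programs its [autorun] section would launch, so a reappearing pair like autorun.inf and setup.exe can be tied together. The function names and the sample file content are assumptions constructed for illustration; only the file names autorun.inf and setup.exe come from the posts above.

```python
import ntpath
import re

# Keys in the [autorun] section whose value is a command line that Windows runs
# (on AutoPlay, or from the drive's right-click menu verbs).
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_launch_targets(text):
    """Return [(key, command, program)] for each launching entry in autorun.inf text."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEYS.match(key):
            # First token (quoted or bare) is the program; keep only its file name.
            m = re.match(r'"([^"]+)"|(\S+)', value)
            program = ntpath.basename(m.group(1) or m.group(2)) if m else ""
            targets.append((key.lower(), value, program.lower()))
    return targets

def flagged(text, suspects=("setup.exe",)):
    """File names from `suspects` that the autorun.inf text would launch."""
    return sorted({p for _, _, p in autorun_launch_targets(text) if p in suspects})

# Constructed sample content (hypothetical, not taken from the poster's machine).
SAMPLE = """\
; constructed sample
[AutoRun]
open=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\Command=setup.exe
shell\\explore\\command="setup.exe" /e
label=Local Disk

[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command, program in autorun_launch_targets(SAMPLE):
        print(f"{key:24} -> {command}  (program: {program})")
    print("flagged:", flagged(SAMPLE))
```
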
 